SAP Web AS ABAP User Management as Data Source
The User Management Engine (UME) can use an SAP Web AS ABAP as its data source for user management data. This enables you to take advantage of the following:
· Users of the ABAP system are visible as users in the UME and can log on with their passwords from the ABAP system.
· Roles of the ABAP system are visible as groups in the UME. The hierarchy between collective roles and single roles is realized as nested group structures. New groups created with the J2EE Engine are created in the Java database.

Because of the different interpretations of the “contains in” relationship between ABAP and UME, the visual order of the groups is reversed. A group representing a collective role is a child element of the group representing a single role. In the ABAP system, the single roles are displayed as child elements of collective roles.
· User and role assignments in the ABAP system are shown as user and group assignments in the UME. You can use the ABAP roles for authorization management in the UME, by adding the groups representing the ABAP roles to the UME roles.
The data source configuration file is dataSourceConfiguration_abap.xml.
The SAP Web AS ABAP must have release 6.20 SPS25 or higher.
When you use an AS-ABAP system as the data source for user management data, the following constraints apply when using the tools on the J2EE Engine.
Due to the security policy of the AS-ABAP system, users can change their passwords only once per day. This is true even if an administrator resets the user’s password. However, if the administrator provides a new password, the user can and must change his or her password the next time he or she logs on.
The file dataSourceConfiguration_abap.xml grants the UME read-write access to the AS-ABAP system by default. However, as long as the system user (SAPJSF) has no ABAP role, or is assigned to an ABAP role with read-only access, the UME cannot write to the AS-ABAP system.
If the UME has read-only access, you cannot modify user attributes stored in the ABAP system, such as first name and last name. You can modify attributes stored in the UME database, such as street. Even if read-only access is assigned, users can still change their own passwords.
If the UME has read-write access, you can create users using the J2EE Engine tools. They are stored as users in the AS-ABAP system. Extended user data that cannot be stored in the standard AS-ABAP user record is stored in the database of the UME.
To enable read-write access to the system user, assign the system user the ABAP role SAP_BC_JSF_COMMUNICATION. For more information, see Requirements for System User SAPJSF_<SID> in ABAP Systems.

You can activate the self-registration and maintain-own-profile functions provided by the UME. In this way users can change their e-mail address, which they cannot change using the tools provided in the ABAP system. For more information, see User Profile and Self-Registration.
When you use the user administration tools of the J2EE Engine, certain limitations apply:
Limitations of User Search Criteria
| User Search Criteria | Limitations |
| --- | --- |
| Creation date; Date of last password change; Last logon date | The search only considers actions performed using the J2EE tools. For example, if a user last logged on using a J2EE application such as SAP Enterprise Portal on 11/26/03 and using a SAP GUI on 11/28/03, the search determines 11/26/03 to be the user’s last logon date. This is because the UME only stores data about user actions performed using J2EE tools. |
| Street; City; State/Province; Zip/Postal code | The search only considers data stored in the UME tables of the J2EE Engine database. This data is different from the data stored in the ABAP user master data. |
| Country; Fax; Form of address; Language; Telephone; Time zone | You cannot search for users on these criteria. |
You cannot change groups that represent roles in the AS-ABAP system or change user assignments to these groups. To create new groups or change existing groups within the AS-ABAP system, use the transaction PFCG in the AS-ABAP system. New groups created with the UME are stored in the local database. You can assign users from the AS-ABAP system to these groups.
The system user for communication with the AS-ABAP system cannot log on to the UME. This prevents the system user from being locked out due to failed logon attempts. For this system user no user management operations in the UME are possible.
We recommend that you configure the UME security policy to be the same as the settings in the AS-ABAP system. The only exception is the settings for locking users after invalid logon attempts. You should deactivate these settings in the UME so that the AS-ABAP system is responsible for locking users. For more information, see Security Policy. During an AS-ABAP + Java installation, these values are configured automatically.
For more information on the security policy settings in the AS-ABAP system, see Profile Parameters for Logon and Password (Login Parameters).
Once you have chosen this data source configuration, you cannot change to any other data source configuration. For details, see SAP Note 718383.
For more information about other data source configuration files, see Data Source Configuration Files.
The system user (SAPJSF) is configured to use a specific language in the AS-ABAP system. The language setting used for the system user determines the value of the user attribute salutation returned from the AS-ABAP system. We recommend that you configure the language of the system user to match the language preferred by a majority of the UME or Enterprise Portal users. Only make changes to the attribute salutation in the AS-ABAP system. For details, see SAP Note 866367.
If you create a new ABAP role or change the description of an existing ABAP role in the AS-ABAP system, these changes may not be visible in the UME for up to 30 minutes. The UME reads this data from the AS-ABAP system every 30 minutes, so when the changes appear depends on when the UME last read the data. To force the UME to read the data from the AS-ABAP system, you must restart the AS-Java system.
The AS-ABAP and AS-Java systems use different concepts for displaying time zones. AS-ABAP uses generic regional designations, such as Central European Time (CET). AS-Java designates time zones by region and city, such as Europe/Rome and Europe/Berlin.
A default mapping between these two systems is installed. You cannot change it, but you can override it. To override the default mapping or add additional mappings, enter the time zone pairs under the property ume.r3.connection.<adapterid>.TimeZoneMapping. Enter comma-separated pairs. Each pair defines a mapping from an ABAP time zone to a Java time zone and the reverse, Java to ABAP. You can have multiple entries for the same time zone, but only the last entry is used at runtime.

The following entries have been made to the time zone mapping property:
CET=Europe/Rome, CET=Europe/Berlin
If you view a user from the Java database in the AS-ABAP system, who has the time zone set to Europe/Rome or Europe/Berlin, you see the value as CET, as both these values are mapped to CET.
If you view a user from the AS-ABAP system in the UME, who has the time zone set to CET, you see the value as Europe/Berlin, because CET=Europe/Berlin comes after the other mapping.
Since different numbers of time zones exist in the AS-ABAP system (delivered and custom) and in the AS-Java system (depending on the Java runtime environment version and manufacturer), the mapping cannot cover all scenarios. If you specify a Java time zone that is not supported by the current Java runtime environment, the entry is ignored and a warning is written to the log file of the security component.
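The following added example (not SAP code) models how the override entries described above resolve, so that a TimeZoneMapping value can be checked before it is deployed. The function name, the logger and the set of supported Java zones are assumptions made for the example; the installed default mapping is not modeled, and the handling of malformed pairs is an assumption.

```python
import logging

log = logging.getLogger("ume_tz_mapping_example")  # stand-in for the security log


def parse_time_zone_mapping(value, supported_java_zones):
    """Model the override entries of ...TimeZoneMapping as the page describes them.

    Returns (abap_to_java, java_to_abap, ignored_entries).
    """
    abap_to_java, java_to_abap, ignored = {}, {}, []
    for raw in value.split(","):
        pair = raw.strip()
        if not pair:
            continue
        abap, sep, java = (part.strip() for part in pair.partition("="))
        if not (sep and abap and java):
            ignored.append(pair)  # assumption: malformed pairs are skipped
            continue
        if java not in supported_java_zones:
            # Page: unsupported Java zones are ignored and a warning is logged.
            log.warning("time zone %r not supported by this JRE, ignoring %r", java, pair)
            ignored.append(pair)
            continue
        # Each pair maps both ways; a later entry for the same key replaces
        # the earlier one, so only the last entry is used at lookup time.
        abap_to_java[abap] = java
        java_to_abap[java] = abap
    return abap_to_java, java_to_abap, ignored


# Constructed sample: the page's two entries plus one unsupported zone.
SAMPLE_VALUE = "CET=Europe/Rome, CET=Europe/Berlin, CET=Europe/Nowhere"
SAMPLE_JRE_ZONES = {"Europe/Rome", "Europe/Berlin", "UTC"}

if __name__ == "__main__":
    a2j, j2a, skipped = parse_time_zone_mapping(SAMPLE_VALUE, SAMPLE_JRE_ZONES)
    print("ABAP -> Java:", a2j)
    print("Java -> ABAP:", j2a)
    print("ignored:", skipped)
```

Because an unsupported entry is dropped, a misspelled zone in the last position leaves the earlier entry for that ABAP zone in effect; the ignored list makes such entries visible before they reach the log.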
The UME can connect to the central system of an AS-ABAP Central User Administration (CUA). The UME can view all users present in any system managed by the central system; however, the AS-ABAP users can only log on to the UME if they have a system assignment in the central system. When you create new users in the UME, this assignment is created automatically.
The UME can view only the roles that are present in the central system, that is, roles that are available in the transaction PFCG. Roles known to the central system in the value help for user/role-assignment for managed systems are not visible to the UME. From the UME, you can only view those user/group assignments made for the central system.